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[57] ABsnucr 

An improved arrangement for cootrolHng access to 
data files by ocnttpoter users. Access permission bits are 
used in the prior art to separately indicate permissions 
for the file owner and ncmowners to read, write and 
execute the fite contents. An additional access control 
bit is added to each eiecotaMe file. When this bit is set 
to one, the ide n t i fic a t ion of the current user is changed 
to that of the owner of the ezecutabk file. The program 
in the executable file then has access to aU data files 
owned by the same owner. This change is temporary, 
the proper identification being restored when the pro- 
gram is terminated. 
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computer usage by the various users of the system. The 

PROTECTION OF DATA FILE GONmNTS acoouxitiag programs and the accounting files are 

« . ™^^^,r^r^ ^^^^ «.r, r^^T^^w owncd by the same U8«" who has permission to read and 

BACKGROUND OF THE INVENTION ^ accounting file to pennit legular updates. 

1. Field of the InventioD 9 Suppose now that it is desired to permit each user to 
This invention relates to computer systems, and more read from the accounting file the information associated 

particularly, to computer systems having multq)le users with that user's own computer usage. This is certainly a 

and multiple data files. legitimate access purpose so long as the user does not 

2. Description of the Prior Art attempt to read other accounting information which is 
Computer systems are more efficiently operated 10 considered private as &r as he is concerned. 

when there are multiple users, and file storage devices Under the described scheme there is no simple way to 
are more effickntly used whoi many users share stor- permit this Idnd of special purpose daU file access. A 
age space on the same physical device. Each user then general user wishing to read the accounting file cannot 
has the potential for afw«Mng files belcHiging to other do so directly because he will not have nonowner per- 
users. Free access is not generally permissable since files IS mission to read. He cannot execute the general account- 
may contain programs or data of senntive nature. tng programs to read for him and return the information 
Virtually dl computer systems provide means for because he wiU not have nonowner permission to exe- 
protecting sensitive files against access by users legiti- cute the general accounting programs. Such permis- 
matdy present in the computer system but not antho- sions must gencraUy be denied to nonowners to assure 
rtzed to use an files. Hanlware or software control 20 privacy of the accounting fUe contents. This problem is 
mechaniam& are provided to decide at the time of a user further described in the article *^00 in Multics" by J. 
request for file access whether access pernusston is to be M. Orochow, Software - Practice and Experience, Vol. 
granted or denied. In general the information necessary 2, pp. 305-308 (1972). 

S^i^S^^'^^"*"'*^^^""'***"*'''"^ 23 SUMMARY OF TOE INVENTION 

Computer systems have been designed which include The present invention adds a facility to the basic 
elaborate lists idoitifying which users are permitted to protection scheme just described which permits corn- 
access which files for which purposes. The result is a puter users to access a data file for any specific purpose, 
complex internal bookeeping task. As users share pro- This is done by providing for the exe cut ion of a corn- 
grams and data, the lists of permitted functions must be 30 puter jmgram to access Ox file, which program is sup- 
interchanged. See the article "Dynamic Protection plied by Ihe file owner and thus can impose any degree 
Structures" by B. W. Lampson, AFIPS Fall Mnt Com' of ocmbol which the file owner wishes to include. This 
puter Conference, 1969» pp. 27-38. The scheme de- new facility uses an additional file access control bit for 
scribed by LamfMon solves the access permission prob- each stored file of executable program. This additional 
lem in a general way, but the result is so complex that it 35 bit is turned the **set user identification bit** (SUID bit), 
has not found wkie acceptance in the computer field. The user ID which is stored by the computer and is 

This improvement is addressed to the simpler effective to control subsequent file access is changed 

schemes whidb are m wide use. Each user of the ccHn- whenever a stored file containing an executable pro- 

puter system is preasdgned an identification number giam (executable file) is loaded into computer memory 

(user ID). Whenever a user creates a file by reserving 40 for execution and whenever the associated SUID bit is 

file space for his own use, his user ID b stored along set to one. The effective user ID is changed from that of 

with the file to identify the file owner (owner ID). In the actual user to that of the owner of the executable 

creating the file, the owner also specifies certain permis- file. During the execution of the program, therefore, the 

sions which are to be granted or denied to hiinself as current user appears to be the owner of the executable 

owner, and to everyone else as nonowners. Oenerally, 43 fUe and all of die data files accessible to the owner of the 

these permissions are for reading and for writing the executable file are available to the program. The user 

file. This information may be contained in as few as four may request the program to access those data files, and 

tnnary digits or ''permission bits,** a modest addition to the program will operate to satisfy that access request in 

each stored file. Alsa in systems having a common the manner it was designed to do, making whatever 

format for files containing programs and files contain- 50 tests and restricting access in any maimer intended by 

ing data, it is usual to have permission information to the program designer, the actual owner of the execut- 

indicate that the file contents may or may not be loaded ' able file and the data files. For the duration of the pro- 

into the computer and executed as a program. This may gram execution the change in user ID is effective. When 

comprise an additional execute permission bit, or an the program is terminated, as for example the attempted 

additional two bits, separate permissions for owners and 55 execution of a new program, the user ID of the actual 

nonowners. user is restored. 

The described scheme takes into account file identity Under this improved scheme, the prc^em of ac- 
because access control information is stored in associa- counting file access is easily solved. The computer user 
tion with each file individually. User identity is taken who owns the accounting programs and accounting file 
into account in a gross but useful distinction between 60 provides a special program for nonacoounting users 
owner and nonowner. Access purpose is also a factor which reads the accounting file. This special program 
because of the coarse selection between reading, writ- reads the user ID of the actual current user and com- 
ing and execution permissions. pares this with the user ID for the accounting file re- 

A shortcoming with this scheme is its lack of ability cord souglit to be read. If they match, the information 

to include fine distinctions of access purpose. Consider, 65 concerns the requesting user and can therefore be re- 

for example, the problem of arcewring a computer time turned to him. This special program b ^ored in a file 

usage accounting data file. Such a file is used by com* which has nonowner permission for execution, and 

puter time accounting programs to store elapsed time of which has the SUID bit set to one. 
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When the general user executes the tpedal pcognm* 
the SUID bit caom the effective user ID to be changrd 
to the owner ID of the special program* the accounting 
user ID. Thus, during the executksn of the tpeoMl pro- 
gram, access to the acooonting files is allowed by the 3 
owner permissioo Ints of the accounting file. Now the 
user requests the special program to read the account* 
ing file. The special program has the proper permission, 
but the action of the spedal i^ogram b determmed by 
the accounting user who designed the qtecial program. 10 
The special program therdbre reads the actual user ID 
of the requMting user and only returns to him the ac- 
counting information from the accounting file which 
relates to himself. The general user can therefore access 
the accounting files cmly fOT the q>edfic bona fide pur- 15 
pose for which the spedal program was provided by the 
accounting user. After the execution of the special pro- 
gram is tenninated, the effective user ID b restored to 
the user ID of the actual user. 

The accounting file access problem is exemplary of 20 
the type of problem this new ftdfity alieviatea. Other 
applications will become apparent from the fbOowing 
de8cripti<ui of one embodiment <^ the invention. 

BRIEF DESCRIPTiON OF THE DRAWING ^ 

Taken together, 

FIGS, la and 1^ comprise a single Figure showing a 
computer system endx>dying the presoit invention. 

FIG. U illustrates a i^uraUty of files stored in a com- 
puter storage device, having access control information 30 
associated therewith; 

FIG. tb illustrates a digital ocHnputer and its m^nory 
which operate in conjunction with the files stored in the 
previous Figure to embody the present invention. 

DETAILED DESCRIPTION " 

The drawing shows in a stogie Figure (comprising 
FIGS. l0 and 1^ together) a computer tystan ocBDiois- 
ing oonq»uter 1 whk^ accesses file storage 2 by means 
of file contnd 4 and accesses memory 3 by means <^ 40 
memory c(mtrol S. Fdes l(K 11> ^ad 13 contain stored 
program information and are read from file storage 2 
into memory 3 for eiecution by computer 1. Files 13, 
14, 15 and 16 contain stored data Information and are 
read fhun fQe storage 2 into memory 3 in order that the 43 
stored data contenU may be accessed. Computer 1 is 
controlled, for the most part by instructions read firom 
memory 3 and executed by tnstnicti<m decoder 6>. In- 
stmcticm locatkm counter 7 controls the location within 
memory 3 of the stored instruction to be nest executed 50 
by computer 1. 

In computer systems, it is common practice to refer 
to files of programs or data by means of arbitrarily 
chosen symbolic reference names. In keephig with this 
practice files 10 through H will hereinafter be referred 33 
to by such symbolic names as they appear in the Figure, 
e.g., PROGl, EDIT. PROLX, AFILE, BFILB, 
CFILE and PASSWORD, respectively. For conve- 
nienoe, these names will also be used to denote program 
or data contents of the reflective files as well as the files 60 
themselves. Thus PROGl will be used to refer to file 10 
as it appears in file storage 2 and also to the program 
contained in file PROGl after being read into memory 
3 for execution by computer 1. 

As will become apparent the program PROGl regu- 63 
larly accesses the daU AFILE, the program EDIT 
regularly accesses data BFILE and the program 
PROLL regularly accesses data CFILE. Each of these 
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tax files has associated with them various access control 
information including: set user identification bit 101 
(SUID bit), owner identification number 102 (owner 
ID) owner permission bits 103 and nonowner permis- 
non bits 104. This information controls access to stored 
file contents 105 in a manner to be described. 

Each user of the computer system is identified by a 
unlctoe preassigned user identificatioo number 106 (user 
ID) which is retained in the PASSWORD file and 
which is retrieved when the user begins requesting 
computer services. A user may create a new file to 
contahi data or program by reserving space in file stor- 
age 2 for that purpose. The owner ID of the new file is 
then set to be equal to the user ID of the creating user. 
Thus, the creating user is identified as the owner of the 
file. When the new file is thereafter to be accessed, the 
owner ID is onnpared with the user ID of the request- 
ing user. If they match, owner permission bits 103 con- 
trol file usage; if they do not match, nonowner permis- 
sion bits 104 are used. Permission bits 103 and 104 are 
set to values prescribed by the owner when the file is 
created. 

There are three pennission bits each for owners and 
nonowners labeled RD. WR and EX in the Figure 
corresponding to read, write and execute permission, 
req)ectively. When a pennission bit is set to 1, the asso- 
ciated faction is permitted; when set to 0, the Amotion 
is denied. 

In the Figm read, write and execute permisBion, are 
granted for the respective owners of PROGl, EDIT, 
and PROLL. Thus user "TED" with user ID equal to 
18 in the PASSWORD file is permitted to read from the 
contents of the PROGl file, write into the PROGl file, 
and load the contents of tltt PROGl file for ex ecutio n 
as a program. SinuHariy, AFILE^ BFILE and CFILE 
have permissicm for reac^ng and writing by their respec- 
tive owners. Execution permission is denied to both 
owners and nonowoerB of AFILE, BFILE and CFILE 
since these files contain data and now executable pro- 
gram instructions. 

In die Figure aO nonowner pf rmi ss inns are denied for 
PROGl and AFILE. Tlius only user *nED**, the 
owner of PROGl and AFILE, may access them. If user 
'TED** executes PROGl, and if PROGl contains ap- 
propriate read and write instructions, PROOl would be 
cafttble of reading and writing AFILE PROGl could 
therefore r e pr e sen t a program written by user "TBD" 
for matntahring AFILE as a file of private data. 

Nonowners are permitted to read and execute EDIT, 
but not write into the EDIT file. EDIT could therefore 
represent a program provided by user JIM** its owner, 
for public use but with a restriction upon its alteration 
by any user other than its owner. This prevents unau- 
thorized changes from being made in the EDIT pro- 
gram. Nonowners of BFILE are granted both read and 
write permission making it universally available. 
BFILE may be a temporary storage file available to any 
user. 

PROLL has nonowner permission bits similar to 
EDIT, malting PROLL similarly publicly usable but 
privatdy alterable only by user "BOB,** its owner. 
CFILE has no permissions granted for nonowners. 

In the Figure, each file has associated with it an addi- 
tional file access control bit, the set user identification 
bit (SUID bit). When the SUID bit is set to zero for a 
given fOe, the effect of the various permission Ints is 
exactly that which has been so far described; owners 
and nonowners are identified by reference to their user 
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ID as found in the password file, and users who are 202. The access control informatian is conveyed over 
nonowners of a given file are subject to a set of permis- cable 206 to various circuits of computer 1. Similariy, 
sion bits which are distinct from users who are owners. the contents of the PASSWORD file are read into 
Thus user '^'ED " user ID 18, may execute PROOl memory area 202 and the user ID information stored 
(owner permission). PROOl may then access AFILE 5 therein also conveyed over cable 206. 
for reading and writing (owner permissions). User Access to a given file is controlled by 0Qm|»rator 
*TED" may also caD for the execution of EDIT (no- 216» gate circuits 210 through 215 and gate circuit 218. 
nowner permission) and EDIT may then access AFILE The owner ID the file to be acc es s ed u conveyed to 
for reading and writing since the current user of EDIT comparator 216 by cable 206. The effective user ID is 
is also the owner of AFILE (owner permissions). EDIT 10 conveyed from register 208 to oomparRtor 216 by cable 
could not access CFILE under these drcumstances 226. In the event the owner ID sod effective user ID are 
since user *TED'' does not have nonowner permissions. equal, comparator 216 provides an output on lead 217 to 
When the SUID bit is set to one for a given execut- gate dicuits 210» 211, and 212. In the event the owner 
able file, the effective user ID is temporarily altered to ^ effective user ID are w nrqiial, an output is pro- 
be the owner ID of the executable file during the period 15 yj^^ on |ea(i 223 to gate circuits 213» 214, and 215. 
of its execution. Access to any files owned by the owner when the instruction being t^'^^*'^ by computer 1 
of the executable file is therefore controlled by owner requests file access for execution, instruction decoder 6 
permissions. In the I^gure, user •TED** may execute provides an output on lead 209 which is conveyed to 
FROLL (nonowner permission). PROLL has the SUID ^ circuits 212 and 215. When a read access request is 
bit set to one, so that during the execution of PROLL 20 ^ output is provided on lead 221 which is con- 
the effective user ID of user 'TED** is changed from 18 ^ ^ circuits 211 and 214. When a write access 
to the owner ID of PROLL which is 33. User nTO" ^ „^ ^ ^^^^ provided on lead 222 
thus has access to CFILE for reading and wntong ^ conveyed to gate circuits 210 and 213. 
(owner permissions) during the execution of PROLL. ^j^^ permission bits of the file to be accessed arc set 
After PROLL is terminated, the effective user ED of 25 ^ ^ provided over cable 206. Owner 
user 'TED" reverts to the proper value of 18, Tlius p^nnigsiong ^ write, read and execute are conveyed to 

l^^^ "^"^^B?!?f^/J?^ /"I^ ^ circuits 210, 211 and 212, respectively. Nonowner 

"BOB", the owM^ of PROLL and CFILE, for tibe ^.^^ to write, read and exiiu^e are conveyed to 

speafic purpose of acoasmg CI^ S',^!5?f^'^^ v^ circuits 213, 214 and 215, respectively. When any 

nowncrs. The manipulations on CFILE peribrmed by 30 «»rfn»«/«fi hha^w* w«t tn cm^ the 

PROLL is und3^trol of user -BOB", the owner t^L!^^2f!^^ ltS^^u^ M ^ n« 

and presumably the designer of PROLL, so that no^ correyomfaig 

Z^crs can oiy access CFILE through PROLL for ""l^l,^^*!^ Jc^ 

the bona fide purposes and in the mamier which f«P^^^ ^T^Z t?^.?S. S/^' J^LS^ 

PROLL U desi^ ed^opcnnit 35 spon^mg gate drcmts 210 through 2iS are enabled for 

me SUID bifonly h^Ling when the file associ- operatiog on the ^^^^ of «gnak ^ theccrre- 

ated with it is loaded for execudSa as a computer pro- JE^.^^P^*" ^ comparator 216 and mstructKm 

gram. For files containing only data and not executable ^®?Jr^'^' , ^. . «a 

programinstructions,thcSUIDbitha8noeffect.Inthe J^:^^^ moie of the gate circmte 210 

FigSre, the SUID bit is shown set to zero for data files 40 2« produce an <>»^«tj»*^.^j"8 pro- 

AFILE. BFILE, and CFILE, ^ ^^^^ « conveyed to mstruction loca- 

So far this Detailed Description has described the file t^on counts 7 to d«y the access penn^ion requested 

access control information associated with each stored by mstruction decoder 6. An output from gate arcmt 

file, and the function of each piece of information m ^18 causes mstnicdon location counter 7 to alter the 

regulating access to the associated file. It remains now 45 "ormal sequence of program execution by oomput«r 1. 

to complete this Detailed Description by iUustrating an Instead of continuing wiA the program ^quence which 

implementation giving concrete form to this fimctional completes the process of accessing the file for readmg, 

description. To those sldUed in the computer art it is writing or execution, computer 1 begins executing a 

obvious that such an implementation can be expressed sequence which notifies the requcstmg program that 

.cither in terms of acomputer program (software) impl^- 50 access is denied. In the absence of a signal from gate 

mentation or a computer circuitry (hardware) imple- circuit 218 instruction locatwn counter 7 proceeds m 

mentation, the two bang fimctional equivalenu of one the normal manner causing computer 1 to contmue to 

another. It will be understood tiut a ftinctionally equiv^ the next instruction in the program sequence to access 

alent software embodiment is within the scope of the the file as requested. 

inventive contribution herein described. For some pur- 35 As each computer user begins requesting computer 

poses a software embodiment may likely be preferrable services, tiie program first executed on his behalf is the 

in practice. When the construction of one such embodi- program whose name appears in the PASSWORD file 

ment is given the other is wcU within the level of ordi- under the entry for that user. The process of beginning 

nary skill of those versed in digital computer tech- operation with the computer is termed "logging in**, a 

niques. 60 term which reflects the entry of the new user into vari- 

Thc circuitry shown in the Figure controls file access ous internal tables. The sequence of program instruc* 

in the following manner. Computer 1 operates under tions which enters new users into the main stream of 

control of program instructionft stored in monory area computer activities Is termed the LXX>IN sequence. 

201. Instruction location counter 7 addresses each in- Once having logged into the computer, the user may 

struction to be executed. When the executing program 63 call for the execution of any other program stored hi the 

calls for access to a stored file, the file access control files by invoking a program sequence for accessing the 

information of the stored file, such as that shown at 101 file, readmg it in, and beginning its execution. This is 

through 104 for file PRCXjI is read into memory area termed the EXECUTE sequence. Access to an execut- 
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able program fUe is controlled by the aago ci a t ed owner 
and Donowner pennissioa bits. 

During the LOGIN sequence, the contents of the 
PASSWORD Rle is read into memory area 202. The 
user is required to input to the computer his user name 5 
and his private password. The appropriate user entry is 
located in the PASSWORD file and the password 
checked to verify the authenticity of the user service 
request. If the user is bona fide^ instruction decoder 6 
transmits a control ptilse in response to the LOGIN 10 
sequence over lead 203 to gating circuits and 205. 
Thus user ID of the new user, conveyed from memory 
3 via cable 206, is gated into registers 207 and 208 where 
it is stored. Register 207 contains the actual user ID of 
the current system user as obtained from the PASS- 15 
WORD file. Register 208 contains the user ID which 
will be effective to control file access. The contents of 
register 208 may be changed at times other than during 
LOGIN. 

The LOGIN sequence of instructions also obtains 20 
from the PASSWORD file the identity of the program 
to be executed on behalf of the new user. The LOGIN 
sequence terminates by calling for the EXECUTE se- 
quence to begin execution of the named program. 

During the EXECUTE sequence, instruction de- 15 
coder 6 transmits a control pulse over lead 224 to gate 
circuit 225. The contents of register 207 is thereby gated 
into register 208. This resets the effective user ID to the 
value of the current actual user ID cancelling the effect 
of any temporary alteration in the contents of register 30 
208 made by the previously executing program. 

The EXECUTE sequence next calls for access to the 
named stored file for execution causing the appropriate 
file access control information to be read into memory 
area 202 and causing the appropriate owner or no- 35 
nowner execution permission to be checked as previ- 
ously described. 

In response to the EXECUTE sequence, instruction 
decoder 6 next transmits a pulse over lead 219 to gate 
circuit 220. The SUID bit for the file to be executed is 40 
conveyed over cable 206 to gate circuit 220. If the 
SUID bit is zero for the Hie to be executed, gating cir- 
cuit 220 is not enabled and the effective user ID stored 
in register 208 remains equal to the value of the actual 
user ID. If the SUID bit of the file to be executed is set 43 
to one, the coincidence of the SUID bit and the pulse on 
lead 219 enables gate circuit 220 to gate mto register 208 
the owner ID of the file to be executed. The owner ID 
is conveyed to gate circuit 220 over cable 206. The 
effective user ID stored in register 208 is thus set equal 50 
to the owner ID of the file to be executed when the 
SUID bit of the file to be executed is set to one. 

The EXECUTE sequence terminates by reading the 
file contents of the ftle to be executed into memory area 
201 and then transferring control to those instructions. 55 

Any program in execution on computer 1 may call 
for resd or write access to files in storage. When this 
occurs, the appropriate read or write permission bits are 
checked as above described. Either the owner or no- 
nowner permission bits will be checked according to 60 
the owner ID of the file to be accessed and the effective 
user ID of the program in execution as stored in register 
208. If the program in execution has the SUID bit of its 
file access control information set to one, the effective 
user ID is the same as the owner ID of the file contain- 65 
ing the program in execution. In this case, access to any 
file having this same owner ID will be controlled by the 
owner permission bits. If the program in execution has 



the SUID bit of its file access control information set to 
zero, the effective user ID is the user ID of the actual 
user, and file access will be controlled by the owner or 
nonowner permission bits» depending on the owner ID 
of the file to be accessed. 

Any program in execution on computer 1 may call 
for the execution of executable program files in storage. 
When this occurs, the effective user ID stored in regis- 
ter 208 is reset to the value of the actual user ID. Access 
to the executable file is controlled by the owner or 
nonowner pennission bits, depending on the owner ID 
of the executable file to be accessed. 

Details of circuit construction for the various circuit 
elements illustrated may be found in Chapter 9 of Pube, 
Digital, and Switching Waveforms by Millman and Taub, 
McGraw-Hill, 1965, a standard text on the subject. 

What is claimed b: 

1. In a computer system serving at least one external 
current user and having stored at least one fde of exe- 
cutable program instructions owned by a file owner 
different from said current user, 

means for storing access control information in asso- 
ciation with said file, including identiTication of 
said file owner and a control indicator having se- 
lectively either a first or a second binary state, 

means for sensing said ^ist state of said control indi- 
cator, and 

means responsive to said first state of said control 
indicator for changing temporarily the identifica- 
tion of said current user of the computer system to 
that of said file owner during the execution of said 
program instructions, 

whereby said current user selectively may be given 
access by said computer system to files owned by 
said file owner during the execution of said pro- 
gram instructions. 

2. A computer system including file storage and 
memory for serving a multiplicity of external users, 
each user having a unique identification comprising: 

at least one file stored in said file storage containing 
program instructions and having associated there- 
with the identification of the owner of said file and 
a control signal having selectively either a first or a 
second binary state; 

means for storing the identification of the current 
user of said computer system; 

means for loading program instructions from said file 
into said memory for execution by said computer 
on behalf of said current user; 

means for detecting said first state of said control 
signal associated with said file; 

means responsive to said means for detecting for 
changing the identification of the current user to 
the identification of said owner of said file; and 

means for restoring the identification of the current 
user at the end of the execution of said program 
instructions; 

whereby the current user selectively may be given 
access by said computer system to files owned by 
said owner of said file during the execution of said 
program instructions. 

3. A computer system having a multiplicity of stored 
files, each said file having associated a file owner identi- 
fication, means for storing the identification of the ex- 
ternal current user of the computer system, and means 
for accessing a data file including means for comparing 
the owner identification of said data file with the cur- 
rent iiscr identification, for denying access if said identi- 
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fications do aot match* and for permitting access if said 
idfffitifiratkfflf do nifltrhi compiisiiig: 

at least a first stored file of eiecu table program in- 
structions and at least a second stored file of data, 
said first file having associated therewith a control 
inrttcatCTf having selectively either a first or a sec- 
ond tanary state, and said first and second files 
having the same file owner identification, 

means for loading the program instroctiaiu from said 
first stored file for execution by the computer sys- 
tem and for sensing said first state of said control 
indicator, and 

means for changing temporarily the identification of 
the current user to that of the owner of said first 



10 



10 



stmd file in response to said first state of said 
control indicator, 
whereby said means for aocming selectively permits 
access to said second file <^ stored data during the 
execution of said program instructions. 
4. A ooaaaputer system as set forth in claim 3 further 
comprising means for storing the user identification of 
the actual current user of the computer system; 
and, means responsive to said means for storing for 
changing back the identification of the current user 
from that of the owner of the first stored file to that 
the actual current user after the execution of said 
program instructions. 
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